A Review of the Best News of the Week on Identity Management & Web Fraud
CPRA hints at the future of cybersecurity and privacy (Help Net Security, Dec 11 2020)
One of the most notable ballot propositions impacting the privacy and cybersecurity world during the US 2020 election was the passage of the California Privacy Rights Act (CPRA). Predominantly considered an updated version of 2018’s California Consumer Privacy Act (CCPA), the CPRA incorporates several changes other than the highly touted establishment of the California Privacy Protection Agency (CPPA).
Apple’s App Stores Open New Privacy Window for Customers (SecurityWeek, Dec 14 2020)
Apple has begun spelling out what kinds of personal information is being collected by the digital services displayed in its app stores for iPhones and other products made by the trendsetting company.
Privacy Groups Alarmed at Supermarket’s Facial Recognition Trial (Infosecurity Magazine, Dec 11 2020)
Southern Co-operative teamed up with Facewatch in bid to reduce crime
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Subway sandwich scam mystifies loyalty card users (Naked Security – Sophos, Dec 11 2020)
Subway customers have been on the receiving end of a curiously complex phishing scam. We investigate.
Authentication Failure (Schneier on Security, Dec 14 2020)
“This is a weird story of a building owner commissioning an artist to paint a mural on the side of his building — except that he wasn’t actually the building’s owner.
The fake landlord met Hawkins in person the day after Thanksgiving, supplying the paint and half the promised fee. They met again a couple of days later for lunch, when the job was mostly done. Hawkins showed him photographs. The patron seemed happy. He sent Hawkins the rest of the (sorry) dough.”
FTC kicks off sweeping privacy probe of nine major social media firms (Ars Technica, Dec 14 2020)
Consumer privacy has fallen into the FTC’s purview, so it’s digging deep.
IBM Trusteer Exposes Massive Fraud Operation Facilitated by Evil Mobile Emulator Farms (IBM Security Intelligence’, Dec 17 2020)
A major mobile emulator fraud operation broke into bank accounts, IBM Security Trusteer found. Explore the attack and how IBM’s team caught it.
IRS Tax Form Scam (Abnormal Security, Dec 17 2020)
In this attack, scammers impersonate the IRS by sending out a fake tax form to collect valuable personal and financial information. Quick Summary of Attack Target Platform: G SuiteMailboxes: 15,000 – 50,000Victims: VIPPayload: Attachment / Fax NumberTechnique: Spoofing / Impersonation
Tax Relief Biz Exposed Personal Info on 100,000 Clients (Infosecurity Magazine, Dec 11 2020)
Website Planet research reveals misconfigured CMS to blame
One Million US Dental Patients Impacted by Data Breach (Infosecurity Magazine, Dec 10 2020)
Patient data exposed following cyber-attack on Dental Care Alliance
Spotify notifies customers of breach, files under CCPA (SC Media, Dec 14 2020)
Streaming service Spotify has notified an unspecified number of its customers of a data breach, responding by resetting passwords on the accounts that were attacked. The company filed the breach under California’s new privacy law, the California Consumer Privacy Act, which went into effect on Jan. 1.
Google outage tied to authentication system outage, not supply chain attacks (SC Media, Dec 14 2020)
A number of Google applications were offline Monday morning due to an authentication system outage, the technology giant confirmed.
SSO and MFA Are Only Half Your Identity Governance Strategy (Dark Reading, Dec 16 2020)
We need better ways to manage user identities for accessing applications, especially given the strain it places on overworked IT and security teams.
Twitter Fined in Irish GDPR Action (Dark Reading, Dec 15 2020)
The $547K fine results from an issue Twitter reported in 2019.
Ohio Couple Sold Secrets to China (Infosecurity Magazine, Dec 15 2020)
Husband of researcher who sold hospital’s secrets to China admits his part in conspiracy
California Hospital Notifies 67k Patients of Data Breach (Infosecurity Magazine, Dec 15 2020)
October cyber-attack may have exposed data belonging to 67k patients of Sonoma Valley Hospital
Facebook Closes Disinformation Accounts Linked to French Military (SecurityWeek, Dec 15 2020)
Facebook said Tuesday that it had removed two networks based in Russia and one linked to the French military, accusing them of carrying out interference campaigns in Africa.
BigID keeps rolling with $70M Series D on $1B valuation (TechCrunch, Dec 16 2020)
BigID has been on the investment fast track, raising $94 million over three rounds that started in January 2018. Today, that investment train kept rolling as the company announced a $70 million Series D on a valuation of $1 billion. Salesforce Ventures and Tiger Global co-led the round…
DHS Believes Our Reliance on GPS ‘Poses a Risk to National Security’ (VICE, Dec 15 2020)
A 2013 report, newly unearthed under access to information laws, shows how GPS is vulnerable to disruption.
Get started with fine-grained access control in Amazon Elasticsearch Service (AWS Security Blog, Dec 09 2020)
Amazon Elasticsearch Service (Amazon ES) provides fine-grained access control, powered by the Open Distro for Elasticsearch security plugin. The security plugin adds Kibana authentication and access control at the cluster, index, document, and field levels that can help you secure your data.